ProArch POV: 4 Experts Share Their Cloud Security Best Practices
According to IBM, over 45 percent of breaches occur in the cloud, with the average cost of a data breach in organizations with public clouds being $4.24M. As organizations continue to grow and modernize their cloud footprint, they need to stay up to date with cybersecurity approaches that protect users, applications, and data, as well as support compliance objectives.
Of course, just like everything else with technology, there is no “one way” to protect a cloud environment. That’s why we sat down with ProArch cloud, security, and data protection experts to get their point of view (POV) on cloud security. Here is what they had to say.
Michael Wurz: Security Solution Architect and Technical Lead
With the shift to cloud and remote work, accessibility has become a key pillar in an organization’s technology architecture. This has made business data and identities more accessible than ever, offering a better user experience. However, it has also introduced a new era of risk. Securing all layers of the cloud has become imperative to every company, as the impact and ramifications of an account compromise can be damaging to both an organization’s finances and its reputation.
For a security program to be successful, organizations need proper auditing, centralization, and retention of identity activity—as well as swift detection and response workflows following the concept of zero trust.
Identity detection and response (IDR) was designed to bridge that gap and help reduce the likelihood and impact of a compromised identity. IDR incorporates the following defenses:
- Risk-based policies to block risky events, such as impossible travel
- Investigation into all risky events—allowed and blocked—regardless of the severity
- Correlated sign-in activity compared to related logs, such as DNS traffic, to further determine the likelihood of a compromise
- External and dark web monitoring for precursors to identity attacks, like similar domain registration for impersonation attacks
Organizations also need to understand the importance of identity security and stopping bad actors in the early stages of their attacks. Detecting and preventing a perpetrator before they gain entry significantly reduces the likelihood of an incident occurring.
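The first three IDR defenses above (a risk-based rule for impossible travel, investigating allowed and blocked events alike, and correlating sign-ins with related logs such as DNS) can be shown in a small detection script. The following is an added example written for this page; it is not ProArch's tooling or any product's API. The sign-in and DNS records are constructed, the field names are an assumed export schema, and the 900 km/h speed threshold is an illustrative tuning value.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events for this example (not real telemetry).
# The field names are an assumption about what an identity-provider export
# might carry; map your own provider's schema onto them.
SIGN_INS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00Z", "city": "New York",
     "lat": 40.7128, "lon": -74.0060, "result": "allowed"},
    {"user": "alice", "ts": "2024-05-01T09:45:00Z", "city": "Frankfurt",
     "lat": 50.1109, "lon": 8.6821, "result": "allowed"},
    {"user": "bob", "ts": "2024-05-01T10:00:00Z", "city": "Chicago",
     "lat": 41.8781, "lon": -87.6298, "result": "allowed"},
    {"user": "bob", "ts": "2024-05-01T14:00:00Z", "city": "Denver",
     "lat": 39.7392, "lon": -104.9903, "result": "blocked"},
]

# Constructed DNS resolver log lines: "<timestamp> <user> <queried name>".
DNS_LOG = [
    "2024-05-01T09:44:10Z alice login-portal.example.net",
    "2024-05-01T13:00:00Z bob   intranet.example.net",
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruise speed; tune per environment


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    Allowed and blocked attempts are evaluated alike: a blocked attempt still
    shows that someone held the credentials, so it stays in the timeline.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if hours <= 0:
                # Identical timestamps: only impossible if the locations differ.
                speed = math.inf if dist_km > 0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_kmh:
                findings.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "distance_km": round(dist_km), "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                    "results": (prev["result"], cur["result"]), "ts": cur["ts"],
                })
    return findings


def correlate_dns(findings, dns_lines, window_minutes=15):
    """Attach DNS queries by the same user within +/- window of each flagged sign-in."""
    parsed = []
    for line in dns_lines:
        ts, user, name = line.split()
        parsed.append((parse_ts(ts), user, name))
    enriched = []
    for f in findings:
        at = parse_ts(f["ts"])
        related = [name for ts, user, name in parsed
                   if user == f["user"]
                   and abs((ts - at).total_seconds()) <= window_minutes * 60]
        enriched.append({**f, "related_dns": related})
    return enriched


if __name__ == "__main__":
    for finding in correlate_dns(find_impossible_travel(SIGN_INS), DNS_LOG):
        print(finding)
```

On the constructed data, alice's New York to Frankfurt hop in 45 minutes implies a speed of several thousand km/h and is flagged, while bob's Chicago to Denver trip over four hours is not, even though one of bob's attempts was blocked; the blocked attempt is still kept in the per-user timeline so an analyst sees it. The DNS correlation is deliberately simple (same user, fixed time window); in practice the join key would be the source IP or device identifier the resolver actually logs.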
David Trum: CEO of Trum & Associates, a ProArch company
Whether it’s a large company or a small cloud provider, the best organizations follow the ISO 27001 Information and Security Management System Standard to assess and manage risks and threats to the business as well as maintain best-practice physical security. Another essential standard is the Federal Risk and Authorization Management Program (FedRAMP), which is a framework that enables US government agencies to use cloud services securely and efficiently. While FedRAMP is not required for private organizations that are not related to federal agencies or departments, it is strongly recommended for all companies using cloud computing. In the end, a cloud provider can only protect its customer to a point.
Each business understands its own data best and must take additional measures to protect intellectual property, patient information, and other information that is unique to its business. Data loss prevention (DLP) tools offer a wide array of detection methods, both on-premises and in the cloud, for sensitive data being in or moving to the wrong place and can automatically take protective action.
Depending on the size of the business and the nature of the data, its loss can result in fines, lawsuits, or reputation damage that could be existential. Avoiding this requires a data protection program that brings together automation and skilled resources to review the most relevant events and help change employee behavior to reduce overall risk over time.
Greg Dodge: Cloud and Infrastructure Architect
Security, like onions and ogres, has many layers.
The zero-trust framework relies on many layers to provide a defense-in-depth approach to securing IT systems in real time. It departs from the “trust but verify” principle by flipping the script to “never trust, always verify” early and often, like applying sunscreen at the beach.
It begins with authentication using multifactor authentication (MFA), authorization with least-privilege permissions, and risk-based conditional access to make security admins happy. The “mother may I” approach to firewalls that only allows defined traffic and blocks all other traffic gives the networking team warm fuzzies. Endpoint Detection and Response (EDR) agents that constantly watch for patterns of use on desktops, servers, and cloud systems allow the IT manager to sleep at night.
All of this is a false sense of security if it is not applied correctly. Like sunscreen, if you fail to use it as it needs to be used, you will get burned.
This is not a negative opinion on zero trust. All its principles are solid and based on some extremely hard lessons learned. The risk is that some organizations will implement some portion(s) of zero trust and leave them at that, thinking they are done. Unfortunately, bad actors are as determined as velociraptors trying to get out of their cages, frequently probing and adapting to overcome defenses.
Zero trust cannot be left alone: It requires constant maintenance through new layers of automation, orchestration of new protocols, and communication with users on what is in it for them. Not everyone likes updating security, but you cannot have your cake and eat it too. Otherwise, your security posture might start to stink, make you cry, or turn brown and sprout little white hairs.
James Spignardo: VP of Cloud and Infrastructure
The modern era of work has created several challenges for IT and security leaders who need to maintain an elevated level of protection for their organizations. Meanwhile, if a company wants to maintain a competitive edge and recruit top talent, it must be willing to accept the reality of remote and hybrid work environments, which is why desktop as a service (DaaS) is becoming an increasingly popular solution.
DaaS delivers several security benefits that bring peace of mind that users, systems, and data are secure. Administrators can apply patches and updates from a centralized location and monitor user activity and control access to sensitive data, ensuring that only authorized users have access to critical information. DaaS also employs advanced security measures such as multifactor authentication, encryption, and intrusion-detection systems to secure the virtual desktop environment.
At the end of the day, DaaS provides a controlled and secure environment for employees to access company data and applications, which is more important than ever.
While there’s no one-size-fits-all approach to cloud security, it is something every organization needs to consider as its cloud footprint grows and attacks become more common and complex. And cloud cybersecurity is not the only thing that is on IT leaders’ minds.
Stay tuned for the next blog in the ProArch POV series, where we will continue to provide actionable advice, tips, and experiences from the people who understand the ins and outs of tech most, including cybersecurity; governance, risk, and compliance; data analytics and AI; cloud; and more. Let us empower your team to turn obstacles into opportunities.